Using technology from Path Intelligence, major malls and retailers are …

Online retailers have long gathered behavioral metrics about how customers shop, tracking their movements through e-shopping pages and using data to make targeted offers based on user profiles. Retailers in meat-space have had tried to replicate that with frequent shopper offers, store credit cards, and other ways to get shoppers to voluntarily give up data on their behavior, but these efforts have lacked the sort of data capacity provided by anonymous store browsers—at least until now. This holiday season, shopping malls in the US have started collecting data about shoppers by tracking the closest thing to "cookies" human beings carry—their cell phones.

The technology, from Portsmouth, England based Path Intelligence, is called Footpath. It uses monitoring units distributed throughout a mall or retail environment to sense the movement of customers by triangulation, using the strength of their cell phone signals. That data is collected and run through analytics by Path, and provided back to retailers through a secure website.

On March 31, Path CEO Sharon Biggar presented the tech at the ICSC Fusion conference in Los Angeles. She discussed how data collected by Footpath could be used by retailers to boost revenue. Options include tracking response to mailers and other advertising by providing the equivalent of web metrics like unique visitors, "page impressions" (measuring how many people walked past a display or advertisement), and "click-through" (determining how many people who passed an advertisement then visited the store associated with it). "Now we can produce heat maps of the mall and show advertisers where the premium locations are for their adverts," she said, "and perhaps more importantly we can price the advertising differently at each location."

In the US, Footpath is being trailed in two malls by Forest City, a mall real estate company that owns malls and shopping centers nationwide. Promenade Temecula in Temecula, California, and Short Pump Town Center in Richmond, Virginia are the sites of choice; the trial starts today, and will run through New Years. In a written statement, Forest City's spokesperson Lindsey Cottone said that Forest City was being "totally transparent" about the trial, posting signage to "inform customers that the survey is taking place."

Forest City's senior vice president of marketing, Jane Lisey, emphasized that the company was not collecting personally identifiable information about shoppers from their phones, and that customers' phone numbers and other information were protected by their wireless carriers. "Before agreeing to test this technology it was essential to determine and guarantee that the personal information of our shoppers would be completely anonymous to all parties," she said.

While Footpath uses only the signal fingerprint of the phone, it does give a fairly accurate record of where the phone has travelled through a mall. According to the editor of trade site Storefront Backtalk, Evan Schuman, the data can be paired with other sources of data, including surveillance video and point-of-sale transaction information. If they went this route, retailers would get a very detailed profile of who's carrying each phone.

"Some malls are even using facial recognition software," Schuman told Ars Technica in a phone interview, with the primary purpose of "loss prevention"—identifying shoplifters. But that data, he said, could be tied to location data to be turned into customer relationship management data. Mall operators could then theoretically sell data to retailers, alerting them when big-ticket shoppers were approaching so that they could be given personalized service.

There's just one problem with this type of detailed tracking: it's technically illegal, according to Mark Rasch, the director of cybersecurity at CSC. Thanks to court interpretations of provisions in the USA PATRIOT Act, he said in a recent blog, devices that measure cell phones' signal strength could be considered to be "pen registers"—monitoring devices that require a warrant.

"Although this mall technology might not identify specific individuals, it raises a bunch of privacy red flags," he wrote. "First, the instant the consumer identifies himself or herself anywhere in the mall (say, by using a credit or debit card to buy something), it is a trivial task to cross reference the cell phone data with the payment data and realize that the person hanging around outside the Victoria’s Secret dressing room was your 70-year-old neighbor."

That's more information than many consumers are interested in divulging. So far, however, there's been no sign that the legality of the service will be tested in court. And retailers could conceivably use the same justification for the technology that they use for facial recognition software: "loss prevention." In many jurisdictions, real estate owners are given wide latitudes about what they monitor on their own premises.

195 Reader Comments

Alternately, it could be used to show that a sex offender is hanging out just outside of the child sitting service the mall offers when they have a court order to stay away from things like that.

That is how crap like this moves from 'reprehensible conduct that should be prohibited' to 'acceptable and praiseworthy'. Dispite what you see on TV or read in the newspapers, the world is not full of sexual predators looking for their next target. What it is full of is people who want to monitor and control what everyone does. Those people are willing to make you as scared as they possibly can so you will grant them the ability to do all the monitoring and controlling their black little hearts desire.

Sounds to me like the solution is then to never let a sexual predator out since that's the only way to contain the "fear" and preserve your "rights". Hope no one minds paying for it or the nimby factor when it comes to building new prisons.

That's why in many of the Asian countries and the Arab nations sexual predators get a bullet in the head and all his misery is gone. I'm for this very much myself and especially for the child molestors they deserved a much longer sentence than our courts hang out now these days. But we always claimed to be that we are the number one demcratic nation in the world. Are we? What can I say?

On other hand. the term sexual predator is very broad. Many of these convicts were set up by the cops and they had wrongfully accused of rape like the Mike Tyson's case, who had been set up by the cops. IMO. What about the founder of wikiLeak, who was accused of two counts of rape in France? He's definitively set up by the French cops in favor of the U.S. cops. Oh beloved cops.. cops.. our brothers, who else have that power to destroy the life of another person?

Just to say an example to back up my claims against the cops. Now.. Is Mike Tyson endangering the public? Is the founder of wikiLeak a dangerous predator against all women? I don't think so. Should these two individuals be banned from the child sitting services in the mall? I don't think so either.

This agree.

Quote:

rdamiani wrote:

the world is not full of sexual predators looking for their next target. What it is full of is people who want to monitor and control what everyone does. Those people are willing to make you as scared as they possibly can so you will grant them the ability to do all the monitoring and controlling their black little hearts desire.

It depends on the motivation of the tracking. If someone have a tons of money to challenge the mall on that ground he might be able to win the sue against the mall. The question is do you have that kind of time and money? And I believe the mall is fully aware of this and they came up with this crap to f*ck with the shoppers. Because they knew it very well no one would take that headache and call it a quit.

I disagree, it doesn't really matter WHY they want to do the tracking. Just like, it doesn't really matter WHY I am speeding (unless it's for self-defense or something) or writing bad checks or failing to show up for court dates. The question is, do you have a right not to have third parties observe the fact that you are transmitting certain frequencies in a public place? I say no, it would be as absurd as saying that people don't have a right to look at your face. You are in a public place, emitting photons to everyone. Your signals are literally passing directly through the mall's property as well as the body of everyone who is shopping there. You can't possibly have a right to force everyone to ignore it. Especially because if you don't like it, you have a very simple and effective option: stop transmitting.

Traffic law, writing bad checks and failing to show up for court dates are written in stone for anyone to violated it he must pay for his violations. As for this tracking the shoppers its legality is still debatable whether the mall has the rights to violated the privacy of their shoppers on its private property. And the reason they're doing it.

You may stare, look at my face 10, 15 or 20 feet away. But if you stare at my face say within 3 feet? Do you still have that right?

If the transmission tie to my name and phone number, it's definitely an invasion of privacy and don't matter how the mall put it.

Btw, just to let whoever concern of this, when we walk passed the RFID detector at the public libraries, state/federal buildings and any of public places where there are set up of RFID detectors including the malls the security guards will notify the cops your presence if you're on the police watch lists. Just saying.

Is it legal to do this with wifi and bluetooth but not 3G/edge ?Could do the same as the wifi by using femto cells.

If this is illegal why is it legal for carriers to sell information gathered in the same way via their mobile phone base stations about vehicle traffic , pedestrian traffic(to cities and urban planning/construction companies) etc

Immediately the thought of Opt-in came to mind. It's the same sort of tracking that happens when you use a web application. If the tracking and location data is acquired as a tertiary benefit to a real business transaction then collecting it is not out of the question. You're getting a benefit from the data and you opted into the arrangement. The mall cameras are anything but opt-in because they happen regardless of your consent. I'd imagine that you can visit those museums and not use the tablet/phone guide.

No one is forcing people to breath either, but they still do it. Why? Because its essential to everyday life.

The government classes and treats the economy as a national resource, the products used in everyday life are in the stores, essential items used in everyday life are in the stores, the stores collectively are part of the national economy.

Yes, you are forced to "shop there", its where the essential (and other) things are that support every day life for society at large.

Are you suggesting that its some sort of automatic "opt-in or agreement" to have personal data collected or to be tracked simply because a person participates in the economy by shopping the places where essential items are available for everyday life?

Retailers have been monitoring footfall in stores for years, it's a simple extension of that using phone signals to the rest of the store / mall or where ever they decide to place something like this.

As long as they don't do a Google and collect other data in the process. Just looks like my phone will start to live on Airplane mode more often than not.

True, they have been doing so for years. However, its not a simple extension. One does not equate to the other. The traditional monitoring is based upon buying patterns and general demographics (e.g., "ages 12 to 18 are more likely to buy bubble gum"), there were not to many opportunities for abuses with the traditional method. This method is based upon specific targeting, its a shift away from the traditional to specific targeting, and possibly gathering personal data to target with which opens the door for many abuses of that personal data.

The key problem I see is that while the sign in the photo discloses what the mall owners are tracking/collecting, it fails to explain how shoppers can opt out.

They can leave the damn phone in the car if it really bothers them that much. Or turn it off. Contrary to what many people seem to think these days, you can survive without a cell phone glued to your person for an hour or three. Barring that, they can go shop somewhere else.

You want to make $85 hourly and $7000 per month like me just working on laptop for few hours! Would you like to be your own boss!Opportunities like this don't come by often. Don't let this one pass you by! ead about it on this web site Read this site (=====CashHuge.com=====)

The key problem I see is that while the sign in the photo discloses what the mall owners are tracking/collecting, it fails to explain how shoppers can opt out.

They can leave the damn phone in the car if it really bothers them that much. Or turn it off. Contrary to what many people seem to think these days, you can survive without a cell phone glued to your person for an hour or three. Barring that, they can go shop somewhere else.

Well, one would have to ban cameras, because facial recognition is evolving faster then you think. The gov will just put it under HLS and be done with it. What I haven't figured out is that politicians fall under the same laws as they pass, unless their the only ones whom can opt out of their own legislation.

The key problem I see is that while the sign in the photo discloses what the mall owners are tracking/collecting, it fails to explain how shoppers can opt out.

They can leave the damn phone in the car if it really bothers them that much. Or turn it off. Contrary to what many people seem to think these days, you can survive without a cell phone glued to your person for an hour or three. Barring that, they can go shop somewhere else.

Your life is not being impacted or screwed with, in anyway. You are not losing anything, just because they are using your passive cell phone signals to track your behavioral patterns.

Let's say they figured out:

1) you hit the mall food court first, and spend 30 minutes there for lunch2) next you hit EBgames/Gamestop(shudder)3) then you hit the men's suit store

...OK? So now what? What are they gonna do, with that info? But more importantly - even with that info, what - in that information - could they do, to actually hurt you?

Let me guess, nothing. Let's just get the nuclear war thinking out of our heads, people. They are not out to try to kill us(be reasonable people). They have every interest that we're alive, so that we might willingly spend money on stuff. Willingly, which is OUR choice to make.

How is that evil? Go ahead and track me(honestly Google already has - I'm using an Android phone).

It's kinda humorous reading all the disgruntled opinions about this prospect. Humorous because it hits home to all-you'all that have cell phones but still expect privacy. You ought to know that you signed away a humongous proportion of your privacy when you purchased cell phone service, to begin with... CALEA (the Communications Assistance for Law Enforcement Act of 1994) was passed back during the Clinton administration, although its roots go back further. CALEA required telecommunications carriers to design their services and equipment with built-in surveillance capabilities in mind. 'Evolution' was the first and only commentator to mention RFID (the "up and coming" - the most expectant form of electronic article surveillance). Indeed; merchants have been able to track the meanderings & whereabouts of shoppers for a long time now. Up to 3 miles away sometimes. Who needs cell phones to track shoppers... I don't do plastic money, Smart Card credit cards, Ipods, Ipads, Icrap, Winders 7 or 8, cellphones or shopping malls. That's just me. I've got nothing to hide, but this prospect of omnipresent facial recognition software still has me peeved...

Why leave your phone in the car or have it turned off when all you have to do is bag your phone and other RFID cards with aluminium foil or even better make it a permanent cell phone case of it. They sell this stuff in the store or make your own.

Dont' know what I'm talking about? Check out the movie "Enemy of the state."

My guess is this idea of tracking the shoppers must have come from mall security. Hey there must be someone suggesting it right? Cops most likely was the one. As we knew it, many of the security guards at the mall make up of either retired cops or off duty cops or cops related people (reserve cops) who are there to make a few extra bucks. They want this go nationwide so to help the cops harassing those who are being harassed because when one mall does it mostly likely many others will follow. Human nature.

Dont' remember the year made. It was Gene Hackman and Will smith who was being tracked by the State with micro tracking device hidden in Will Smith's shoe or writing pen don't remember which and Gene Hackman found the device and put it in a potato chip bag the type made of aluminium foil. Bless the movie it is more of a warning to us "Hey the state has this stuff to track you down..." It looks funny to me at that time I watch the move but later think of it it ain't funny at all. It's sh*t.

I wish the article had done less conflating of the actual tech this company is using to the potential what-if-everyone-is-evil conclusion jumping. Simply put, there is nothing in your the transmissions your phone makes while in idle mode that could be intercepted to tell anyone your name, phone number our anything else personally identifying. There is a temporary ID that the network knows is associated with your account, but that's it, and that's likely what this company is using to keep track of an individual PHONE's movements. I wish the article had just explained this and saved everyone so much hand wringing. Sure if somehow someone with access to the phone movement data could identify you personally later, they could figure out your movements throughout the mall (duh, liked CCTV), but that's a separate discussion. It's a little like saying your credit card company can track your movements by watching where you use your card across town. Sure, but who cares - what sinister thing am I worries about my cc company doing with that info? (I say "a little" because cc companies already do that and this mall tech doesn't even know who you are). The exact same thing can be accomplished thru use of CCTV.

I wouldn't worry a thing whether it gives out my personal info or just a RF signal without identifing my true identity. A saying, "The best defense is offense". Your best way to handle this situation is a lawsuit. Take them to court and grill their asses.

[while I'm at it]

FYI. When the city libraries/city/state/federal buildings and even residental buildings alert the cops your whereabout using their RFID equipments, and if this was without a warrant? You may sue, big time.

Just a few months back from the news, there was this private security company, for an unknown reasons lost its contract with the city of Antioch. The city is about 40 miles east of San Francisco. The company have done surveillence for the local police and the sheriff department.

What happen?

People at the surveillance often abuse their power. Mouth off about their targets. Making up stories such as the suspect is a pedophile, rapist. One crime most people hated are the sexual predators.

Not sure if that's the case but I believe there were police harassment complaints and may be lawsuits against the city of Antioch. The rest is history.

And yes, this should be illegal and challenged in court. Once my mall tries it I'm going to take them straight to court.

On what legal theory? You're carrying an electromagnetic transmitter in your pocket. On what legal grounds can you complain about someone else observing your EM emissions? Especially when you are on their premises?

My guess is this idea of tracking the shoppers must have come from mall security. Hey there must be someone suggesting it right?

Hmmm...nope, came from Path Intelligence, a UK based company which states on their web site:

"Path Intelligence provides FootPath, a unique and breakthrough product, which can gather information on pedestrian behaviour and flow on a continuous basis, 24 hours a day 365 days a year, using mobile phone technology."

Then from the article, the attributed statements:

"While Footpath uses only the signal fingerprint of the phone, it does give a fairly accurate record of where the phone has travelled through a mall. According to the editor of trade site Storefront Backtalk, Evan Schuman, the data can be paired with other sources of data, including surveillance video and point-of-sale transaction information. If they went this route, retailers would get a very detailed profile of who's carrying each phone"

"Some malls are even using facial recognition software," Schuman told Ars Technica in a phone interview, with the primary purpose of "loss prevention"—identifying shoplifters. But that data, he said, could be tied to location data to be turned into customer relationship management data. Mall operators could then theoretically sell data to retailers, alerting them when big-ticket shoppers were approaching so that they could be given personalized service."

So we have a system that:

1. Was specifically designed to track cell phone movement on a continuous basis, 24 hours a day 365 days a year, (in the shopping area presumably)

2. Produces data (movement data) that can be paired with other sources of information to give "...a very detailed profile of who's carrying each phone" (Thus identifying a specific person)

3. Produces data which "Mall operators could then theoretically sell data to retailers, alerting them when big-ticket shoppers were approaching so that they could be given personalized service."

So, while the basic system is not gathering personal data, it is a system which provides a platform upon which to base other data which when combined can identitify a specific person.

Until this system, the combination of data to identify specific people was based upon actual purchases via electronic means such as credit cards or information already known if provided by a customer. Although the use of a credit card (debit card, etc...) allows a credit card (debit card, etc...) company to see the purchases and thus "track" purchases for the person using the credit card, the credit card company doesn't provide that purchase history (or tracking) to retailers, and the data from those is known only to the retailers through which the purchase was made.

However, with the addition of this cell phone movement tracking method, the possibility is now real that specific individuals can be identified and if, for example, all retailers in a mall can buy that data a person in the mall can be specifically identitifed even if they don't make purchases at a specific place. This is where the difference lies. The potential for abuse is tremendous, even if its just a name, in that the compromise of a name in relation to a "big-ticket shopper" history can be used to target a specific person based upon affluence by those who have no commercial relationship (the shopper has never purchased anything from them before) where as before the information was specific to specific retailers with whom the person had shopped. Thus the potential wide spread dissemination by purchase of the data of the "very detailed profile of who's carrying each phone" is potentially compromising for individuals.

Employee crimes account for billions of dollars lost to retailers each year. With the implementation of this phone tracking method, the possibility and capability is now there to provide "very detailed profile" information (via combined data sources - this method provides the key to do that) that has the possibility to end up in the hands of all dishonest employees allowing them to identifiy specific people based upon purchasing power and allow them to sell that data to other criminal elements (which they already do with credit card numbers when they get them) for comission of further crimes against specifially targeted people. Although the credit card numbers are sold off to criminal elements, they are specific to the places the card was used and its pretty easy to pin down where a particular credit card number was stolen from. With this key piece of technology, identifying a specific person becomes possible for every retailer including the dishonest employee, even those not in malls, by a simple purchase of the data from malls, and now, unlike the credit card numbers, the crime targeting can potentially be from any number of unidentifiable sources. Plus, even if a person doesn't buy certain products, for example, "adult" products (don't mean to be funny here), the ability to potentially buy the data from malls would allow specific people to be targeted by these "retailers" also.

Even if some sort of controls are placed on the data, once its in the hands of a retailer what keeps the retailer or a dishonest employee of further marketing the data? If you don't think a quick thinking dishonest employee will not take advantage of the ability to sell off such information in a "this guy buys some big ticket items so he must have money" or any number of sceinarios, especially in this economic climate, your fooling yourself.

They know damn well what they are planning to do with this new ability created by the introduction of this phone tracking method, they can now, and will, combine all that data and sell it to all retailers (even the ones the person does not shop) in a mall (or it doesn't have to be in a mall, it could be sold to any retailer nation wide), who will use it to target specific people. So, its not the tracking method, its the capability the method now provides. This potential specific "very detailed profile of who's carrying each phone" will not be limited to just malls, other retailers and companies outside of malls will also want in on the game and will find a way to purchase that data from malls, this will go nationwide, there will not be any "just don't shop at the mall" - this data once created is a marketable product and it will be available to any retailer or company via purchase and from those retailers and companies who will soon discover that just as they bought the data that they can use it to sell to others also just like they do the limited information they get now and it will find its way into non-retailer hands.

Yeah, sort of conspiracy or paranoia like, but history has shown us that every time money is involved those who want the money will find some way to make it and at the same time will claim all sorts of legal protections but just because the law says its legal doesn't make it right or innocent.

how we have come to the point that this is acceptable even in theory is beyond me

corporations or malls do not have endless rightsin the case of corps, no they are not people

Yeah, I don't get this either. Why people think this is acceptable and cool, I just don't understand.

People I know have an uncaring complacent attitude and I think that's a part of why this is happening.

It doesn't make sense. People have rights; corporate bodies don't have the rights people do. Then corporations are recognised as people and get all these rights. Then more so as time goes on but we people don't deserve rights and they get taken away from people. But if corporations are people why are people allowed rights but not.

Oh..... those people are....

==========================================================

How do we edit posts? I don't see an option. Is it revealed after "x" posts?

As far as I know thats how it works - or at least that's the way it seemed to work for me. Don't know exactly how many posts you need but it isn't many.

"Although this mall technology might not identify specific individuals, it raises a bunch of privacy red flags," he wrote. "First, the instant the consumer identifies himself or herself anywhere in the mall (say, by using a credit or debit card to buy something), it is a trivial task to cross reference the cell phone data with the payment data and realize that the person hanging around outside the Victoria’s Secret dressing room was your 70-year-old neighbor."

All of this from signal strength?! The real magic is in how they can cross reference your debit card with your signal strength to track you.

Based on their description of a "heat map", it doesn't sound like they can track anything except the concentration of customers in different parts of the store. This is nothing like a "cookie". These is no unique data, not even anonymous unique data.

edit: Jack_o pointed this out to me.. yay for reading comprehension."While Footpath uses only the signal fingerprint of the phone[...]"

Verizon, my sons carrier, and my own carrier CSpire, tell me that if the "Location On" feature is enabled it allows "authorized" applications other than 911 services to determine a cell phone location, and that "911 only" mode only allows 911 to locate the phone if a call is placed to 911. They also stated that because the "Location On" option is enabled it does not turn the cell phone into a location beacon that is traceable simply because the phone is turned on.

So i'm guessing the location determination of this mall cell phone tracking is based upon the "Location On" setting being enabled in the phone options, and the data comes from authorized applications. So are the carriers supplying an authorized application capability or is this method exploting the "Location on" option in an unauthorized manner?

So, maybe switching the phone option to "911 only" will keep this new method from tracking the cell phone?

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.